This makes website SQL Injectable - SQL Code review High detailed tutorial

Monday, August 15, 2011

Hello all,

i ve found hundres of tutorals about Sql Injection, but nothing that shows why and how a website gets SQL Injectable. This will be my Topic here. This is my first tutorial so don´t be too hard to me ;) but if you ve got question or things which my be wrong here, than don´t be afraid! contact me :) If you think this is good, than show it to me please, i ll try to gave you some more :) ok let´s start!

Reviewing the Source Code of a Webpage
The goal of the code review is to locate and analyze areas of code which may have application security implications.

What makes a Website SQL Injectable?


Code:
1. Example: $result = mysql_query(“Select * From table Where column = ‘ $_GET[“param”] ‘ “);

This code is vulnurable, but why?
The User Input is passed directly to a dynamically constructed SQL statement and is executed without first being validated.

2. Example:

Code:
$result = mysql_query(“SELECT * FROM table WHERE column = ‘ $param’ “);

Is this code vulnerable too?
To make an informed decision as to whether a vulnerability exist, you need to trace the variable to its origin and follow its flow through the application.

To do this you need to identify the entry points into the application (called sink source) and search the source code to identify at what point the $param variable is assigned a value. You are trying to identify a line of PHP code that is similar to that:

Code:
$param = $_GET[“param”];

This line assings the user-controlled data to the $param variable.
Once an entry point is identified, it is important to trace the input to discover where and how the data is used.

If you trace it and found the following two lines of PHP code you could safely say, there is a vulnerability. The following code is vulnerable to SQL injection because a tainted variable ($param) is passed directly to a dynamicall constructed SQL statement (sink) and is executed.

Code:
$param = $_GET[“param”];
$result = mysql_query(“SELECT * FROM table WHERE field = ‘$param’ “);

How could you find queries with direct user input?
You can use the following command to recursively search a directory of source files for the use of mssql_query(), mysql_db_query(), and mysql_query() with direct user input into an SQL-statement.

Code:
$ grep –r –n “\(mysql\|mssql\|mysql_db\)_query\(.*\$_\(GET\|\POST\).*\)” src/ | awk –F: ‘{print “filename: “$1”\nline: “$2”\nmatch: “$3”\n\n”}’

Result:

Filename:src/mssql_query.injectable.php

Line:11
Match: $result = mssql_query(“SELECT * FROM TBL WHERE COLUMN = ‘ $_GET[‘var’]’ “);

Filename: src/mysql_query.injectable.php

Line:13
Match: $result = mysql_query(“SELECT * FROM TBL WHERE COLUMN = ‘ $_GET[‘var’]’ “),$link);

Another possible output:

Filename: src/SQLi.MySQL.vulnerable.php

Line:20
Match: $result = mysql_query ($sql);

The mysql_query() function is used to send a query to the currently active database.

You can see from the line found that the function is in usw. However, you do not know what the value of the $sql variable is; it probably contains an SQL statement to execute but you do not know whether it was build using user input or whether it is tainted. So, at this stage, you cannot say whether a vulnerability exist. You need to trace the $sql variable.

To do this you can use the following command:

Code:
$ grep – r –n “\$sql” src/ | awk –F:  ‘{print “filename: “$”\nline: “$2$”\nmatch: “$3”\n\n”]’

The problem problem with the preceding command is that often, developers reuse variables or use common names, so you may end up with some results that do not correspond to the function you are investigating. You can improve the situation by expanding the command to search for common SQL commands. You could try the following grep command to identify points in the code where dynamic SQL statements are created:

Code:
$ grep –I – r –n  “\$sql =.*\”\ (SELECT\UPDATE\|INSERP\)”  src/ | awk –F:  ‘{print “filename: “$”\nline: “$2$”\nmatch: “$3”\n\n”]’

If you are lucky, you will find only one match, as illustrated here:

Filename: src/SQLi.MySQL.Vulnerable.php

Line: 20
Match: $sql = “Select * From table Where field = ‘$_Get[‘input’]’”;

Of course there are many tools which will do it automatically but you should be clear about that they won´t get all of them or maybe producing “false postives” (there is no/or an injection possible, where the program may say there isn’t).

Code:
Bonus material:
Oci_parese() parses a statement before it is executed (prior to oci_execute() / ociexecute())
Ora_parse() Parses a statement before it is executed (prior to ora_exec())
Mssql_bind() Adds a paramenter to a storded procedure (prior to mssql_execute())
Mssql_execute() Executes a stored procedure
Odbc_prepare() Prepares a statement for execution (prio to odbc_execute())
Odbc_execute() Executes an SQL statement
Odbc_exec() Prepares and executes an SQL statement
Examples for some queries:
//mssql_query() – sens a query to the currently active database
$result = mssql_query($sql);
//mysql_db_query() – selects a database, and executes a quer on it
$result = mysql_db_query($db, $sql);
//mysql_db_query() – selects a database, and executes a quer on it
$result = mysql_db_query($db, $sql);

This tutoral took some time, so please if you visited it and think it´s good, just post a thanks that people are motivated, to go on with stuff like that :)

some Scanners:
- Yet Another Source code Analyer (YASCA)
- LAPSE
- AppCodeScan
- Pixy
- Security Compass Web Application Analysis Tool (SWAAT)
- Microsoft Source Code Analyzer for SQL Injection
- Microsoft Code Analysis Tool .NET (CAT.NET)
- Ounce
- Code Secure

thanks! :)
Share this article :

0 comments:

Speak up your mind

Tell us what you're thinking... !

 
Support : Creating Website
Copyright © 2012. Your Unofficial Guide - All Rights Reserved
Proudly powered by Blogger